Retab all the things (except external/)
This commit is contained in:
Tab Assassin
@@ -15,8 +15,8 @@ require 'open-uri'
|
||||
require 'timeout'
|
||||
|
||||
def usage
|
||||
$stderr.puts "#{$0} [site list] [output-dir]"
|
||||
exit(0)
|
||||
$stderr.puts "#{$0} [site list] [output-dir]"
|
||||
exit(0)
|
||||
end
|
||||
|
||||
input = ARGV.shift() || usage()
|
||||
@@ -25,32 +25,32 @@ res = ""
|
||||
doc = Hpricot(File.open(input))
|
||||
doc.search("//form").each do |form|
|
||||
|
||||
# Extract the form
|
||||
res = "<form"
|
||||
form.attributes.each do |attr|
|
||||
res << " #{attr[0]}='#{attr[1].gsub("'", "")}'"
|
||||
end
|
||||
res << "> "
|
||||
# Extract the form
|
||||
res = "<form"
|
||||
form.attributes.each do |attr|
|
||||
res << " #{attr[0]}='#{attr[1].gsub("'", "")}'"
|
||||
end
|
||||
res << "> "
|
||||
|
||||
# Strip out the value
|
||||
form.search("//input") do |inp|
|
||||
# Strip out the value
|
||||
form.search("//input") do |inp|
|
||||
|
||||
inp.attributes.keys.each do |ikey|
|
||||
if (ikey.downcase == "value")
|
||||
inp[ikey] = ""
|
||||
next
|
||||
end
|
||||
inp.attributes.keys.each do |ikey|
|
||||
if (ikey.downcase == "value")
|
||||
inp[ikey] = ""
|
||||
next
|
||||
end
|
||||
|
||||
if(inp.attributes[ikey] =~ /^http/i)
|
||||
inp[ikey] = ""
|
||||
next
|
||||
end
|
||||
if(inp.attributes[ikey] =~ /^http/i)
|
||||
inp[ikey] = ""
|
||||
next
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
res << inp.to_html
|
||||
end
|
||||
res << "</form>"
|
||||
res << inp.to_html
|
||||
end
|
||||
res << "</form>"
|
||||
end
|
||||
|
||||
$stdout.puts res
|
||||
|
||||
@@ -15,72 +15,72 @@ require 'open-uri'
|
||||
require 'timeout'
|
||||
|
||||
def usage
|
||||
$stderr.puts "#{$0} [site list] [output-dir]"
|
||||
exit(0)
|
||||
$stderr.puts "#{$0} [site list] [output-dir]"
|
||||
exit(0)
|
||||
end
|
||||
|
||||
sitelist = ARGV.shift() || usage()
|
||||
output = ARGV.shift() || usage()
|
||||
|
||||
File.readlines(sitelist).each do |site|
|
||||
site.strip!
|
||||
next if site.length == 0
|
||||
next if site =~ /^#/
|
||||
|
||||
out = File.join(output, site + ".txt")
|
||||
File.unlink(out) if File.exists?(out)
|
||||
|
||||
fd = File.open(out, "a")
|
||||
|
||||
site.strip!
|
||||
next if site.length == 0
|
||||
next if site =~ /^#/
|
||||
|
||||
out = File.join(output, site + ".txt")
|
||||
File.unlink(out) if File.exists?(out)
|
||||
|
||||
fd = File.open(out, "a")
|
||||
|
||||
|
||||
["", "www."].each do |prefix|
|
||||
begin
|
||||
Timeout.timeout(10) do
|
||||
doc = Hpricot(open("http://#{prefix}#{site}/"))
|
||||
doc.search("//form").each do |form|
|
||||
["", "www."].each do |prefix|
|
||||
begin
|
||||
Timeout.timeout(10) do
|
||||
doc = Hpricot(open("http://#{prefix}#{site}/"))
|
||||
doc.search("//form").each do |form|
|
||||
|
||||
# Extract the form
|
||||
res = "<form"
|
||||
form.attributes.each do |attr|
|
||||
res << " #{attr[0]}='#{attr[1].gsub("'", "")}'"
|
||||
end
|
||||
res << "> "
|
||||
# Extract the form
|
||||
res = "<form"
|
||||
form.attributes.each do |attr|
|
||||
res << " #{attr[0]}='#{attr[1].gsub("'", "")}'"
|
||||
end
|
||||
res << "> "
|
||||
|
||||
# Strip out the value
|
||||
form.search("//input") do |inp|
|
||||
# Strip out the value
|
||||
form.search("//input") do |inp|
|
||||
|
||||
inp.attributes.keys.each do |ikey|
|
||||
if (ikey.downcase == "value")
|
||||
inp[ikey] = ""
|
||||
next
|
||||
end
|
||||
inp.attributes.keys.each do |ikey|
|
||||
if (ikey.downcase == "value")
|
||||
inp[ikey] = ""
|
||||
next
|
||||
end
|
||||
|
||||
if(inp.attributes[ikey] =~ /^http/i)
|
||||
inp[ikey] = ""
|
||||
next
|
||||
end
|
||||
if(inp.attributes[ikey] =~ /^http/i)
|
||||
inp[ikey] = ""
|
||||
next
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
res << inp.to_html
|
||||
end
|
||||
res << "</form>"
|
||||
res << inp.to_html
|
||||
end
|
||||
res << "</form>"
|
||||
|
||||
fd.write(res)
|
||||
end
|
||||
end
|
||||
break
|
||||
rescue ::Timeout::Error
|
||||
$stderr.puts "#{prefix}#{site} timed out"
|
||||
rescue ::Interrupt
|
||||
raise $!
|
||||
rescue ::Exception => e
|
||||
$stderr.puts "#{prefix}#{site} #{e.class} #{e}"
|
||||
end
|
||||
end
|
||||
|
||||
fd.close
|
||||
|
||||
File.unlink(out) if (File.size(out) == 0)
|
||||
fd.write(res)
|
||||
end
|
||||
end
|
||||
break
|
||||
rescue ::Timeout::Error
|
||||
$stderr.puts "#{prefix}#{site} timed out"
|
||||
rescue ::Interrupt
|
||||
raise $!
|
||||
rescue ::Exception => e
|
||||
$stderr.puts "#{prefix}#{site} #{e.class} #{e}"
|
||||
end
|
||||
end
|
||||
|
||||
fd.close
|
||||
|
||||
File.unlink(out) if (File.size(out) == 0)
|
||||
|
||||
end
|
||||
|
||||
@@ -8,71 +8,71 @@
|
||||
|
||||
class SnifferFTP < BaseProtocolParser
|
||||
|
||||
def register_sigs
|
||||
self.sigs = {
|
||||
:banner => /^(220\s*[^\r\n]+)/i,
|
||||
:user => /^USER\s+([^\s]+)/i,
|
||||
:pass => /^PASS\s+([^\s]+)/i,
|
||||
:login_pass => /^(230\s*[^\n]+)/i,
|
||||
:login_fail => /^(5\d\d\s*[^\n]+)/i,
|
||||
:bye => /^221/
|
||||
}
|
||||
end
|
||||
def register_sigs
|
||||
self.sigs = {
|
||||
:banner => /^(220\s*[^\r\n]+)/i,
|
||||
:user => /^USER\s+([^\s]+)/i,
|
||||
:pass => /^PASS\s+([^\s]+)/i,
|
||||
:login_pass => /^(230\s*[^\n]+)/i,
|
||||
:login_fail => /^(5\d\d\s*[^\n]+)/i,
|
||||
:bye => /^221/
|
||||
}
|
||||
end
|
||||
|
||||
def parse(pkt)
|
||||
# We want to return immediatly if we do not have a packet which is handled by us
|
||||
return unless pkt.is_tcp?
|
||||
return if (pkt.tcp_sport != 21 and pkt.tcp_dport != 21)
|
||||
s = find_session((pkt.tcp_sport == 21) ? get_session_src(pkt) : get_session_dst(pkt))
|
||||
s[:sname] ||= "ftp"
|
||||
def parse(pkt)
|
||||
# We want to return immediatly if we do not have a packet which is handled by us
|
||||
return unless pkt.is_tcp?
|
||||
return if (pkt.tcp_sport != 21 and pkt.tcp_dport != 21)
|
||||
s = find_session((pkt.tcp_sport == 21) ? get_session_src(pkt) : get_session_dst(pkt))
|
||||
s[:sname] ||= "ftp"
|
||||
|
||||
self.sigs.each_key do |k|
|
||||
# There is only one pattern per run to test
|
||||
matched = nil
|
||||
matches = nil
|
||||
self.sigs.each_key do |k|
|
||||
# There is only one pattern per run to test
|
||||
matched = nil
|
||||
matches = nil
|
||||
|
||||
if(pkt.payload =~ self.sigs[k])
|
||||
matched = k
|
||||
matches = $1
|
||||
end
|
||||
if(pkt.payload =~ self.sigs[k])
|
||||
matched = k
|
||||
matches = $1
|
||||
end
|
||||
|
||||
case matched
|
||||
case matched
|
||||
|
||||
when :login_fail
|
||||
if(s[:user] and s[:pass])
|
||||
report_auth_info(s.merge({:active => false}))
|
||||
print_status("Failed FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]}")
|
||||
when :login_fail
|
||||
if(s[:user] and s[:pass])
|
||||
report_auth_info(s.merge({:active => false}))
|
||||
print_status("Failed FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]}")
|
||||
|
||||
s[:pass] = ""
|
||||
return
|
||||
end
|
||||
s[:pass] = ""
|
||||
return
|
||||
end
|
||||
|
||||
when :login_pass
|
||||
if(s[:user] and s[:pass])
|
||||
report_auth_info(s)
|
||||
print_status("Successful FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]}")
|
||||
# Remove it form the session objects so freeup memory
|
||||
sessions.delete(s[:session])
|
||||
return
|
||||
end
|
||||
when :login_pass
|
||||
if(s[:user] and s[:pass])
|
||||
report_auth_info(s)
|
||||
print_status("Successful FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]}")
|
||||
# Remove it form the session objects so freeup memory
|
||||
sessions.delete(s[:session])
|
||||
return
|
||||
end
|
||||
|
||||
when :banner
|
||||
# Because some ftp server send multiple banner we take only the first one and ignore the rest
|
||||
if not (s[:info])
|
||||
s[:info] = matches
|
||||
report_service(s)
|
||||
end
|
||||
when :banner
|
||||
# Because some ftp server send multiple banner we take only the first one and ignore the rest
|
||||
if not (s[:info])
|
||||
s[:info] = matches
|
||||
report_service(s)
|
||||
end
|
||||
|
||||
when :bye
|
||||
sessions.delete(s[:session])
|
||||
when :bye
|
||||
sessions.delete(s[:session])
|
||||
|
||||
when nil
|
||||
# No matches, no saved state
|
||||
else
|
||||
sessions[s[:session]].merge!({k => matches})
|
||||
end # end case matched
|
||||
when nil
|
||||
# No matches, no saved state
|
||||
else
|
||||
sessions[s[:session]].merge!({k => matches})
|
||||
end # end case matched
|
||||
|
||||
end # end of each_key
|
||||
end # end of parse
|
||||
end # end of each_key
|
||||
end # end of parse
|
||||
end
|
||||
|
||||
|
||||
@@ -9,72 +9,72 @@
|
||||
|
||||
class SnifferIMAP < BaseProtocolParser
|
||||
|
||||
def register_sigs
|
||||
self.sigs = {
|
||||
:banner => /^(\*\s+OK[^\n\r]*)/i,
|
||||
:login => /^CAPABILITY\s+LOGIN\s+([^\s]+)\s+([^\n\r]+)/i,
|
||||
:login_pass => /^CAPABILITY\s+OK\s+(Login[^\n\r]*)/i,
|
||||
:login_bad => /^CAPABILITY\s+BAD\s+(Login[^\n\r]*)/i,
|
||||
:login_fail => /^CAPABILITY\s+NO\s+(Login[^\n\r]*)/i
|
||||
}
|
||||
end
|
||||
def register_sigs
|
||||
self.sigs = {
|
||||
:banner => /^(\*\s+OK[^\n\r]*)/i,
|
||||
:login => /^CAPABILITY\s+LOGIN\s+([^\s]+)\s+([^\n\r]+)/i,
|
||||
:login_pass => /^CAPABILITY\s+OK\s+(Login[^\n\r]*)/i,
|
||||
:login_bad => /^CAPABILITY\s+BAD\s+(Login[^\n\r]*)/i,
|
||||
:login_fail => /^CAPABILITY\s+NO\s+(Login[^\n\r]*)/i
|
||||
}
|
||||
end
|
||||
|
||||
def parse(pkt)
|
||||
def parse(pkt)
|
||||
|
||||
# We want to return immediatly if we do not have a packet which is handled by us
|
||||
return unless pkt.is_tcp?
|
||||
return if (pkt.tcp_sport != 143 and pkt.tcp_dport != 143)
|
||||
s = find_session((pkt.tcp_sport == 143) ? get_session_src(pkt) : get_session_dst(pkt))
|
||||
s[:sname] ||= "imap4"
|
||||
# We want to return immediatly if we do not have a packet which is handled by us
|
||||
return unless pkt.is_tcp?
|
||||
return if (pkt.tcp_sport != 143 and pkt.tcp_dport != 143)
|
||||
s = find_session((pkt.tcp_sport == 143) ? get_session_src(pkt) : get_session_dst(pkt))
|
||||
s[:sname] ||= "imap4"
|
||||
|
||||
self.sigs.each_key do |k|
|
||||
# There is only one pattern per run to test
|
||||
matched = nil
|
||||
matches = nil
|
||||
self.sigs.each_key do |k|
|
||||
# There is only one pattern per run to test
|
||||
matched = nil
|
||||
matches = nil
|
||||
|
||||
if (pkt.payload =~ self.sigs[k])
|
||||
matched = k
|
||||
matches = [$1,$2]
|
||||
end
|
||||
if (pkt.payload =~ self.sigs[k])
|
||||
matched = k
|
||||
matches = [$1,$2]
|
||||
end
|
||||
|
||||
case matched
|
||||
when :banner
|
||||
s[:info] = matches
|
||||
report_service(s)
|
||||
case matched
|
||||
when :banner
|
||||
s[:info] = matches
|
||||
report_service(s)
|
||||
|
||||
when :login_pass
|
||||
when :login_pass
|
||||
|
||||
report_auth_info(s)
|
||||
print_status("Successful IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
|
||||
report_auth_info(s)
|
||||
print_status("Successful IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
|
||||
|
||||
# Remove it form the session objects so freeup
|
||||
sessions.delete(s[:session])
|
||||
# Remove it form the session objects so freeup
|
||||
sessions.delete(s[:session])
|
||||
|
||||
when :login_fail
|
||||
when :login_fail
|
||||
|
||||
report_auth_info(s.merge({:active => false}))
|
||||
print_status("Failed IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
|
||||
report_auth_info(s.merge({:active => false}))
|
||||
print_status("Failed IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
|
||||
|
||||
# Remove it form the session objects so freeup
|
||||
sessions.delete(s[:session])
|
||||
# Remove it form the session objects so freeup
|
||||
sessions.delete(s[:session])
|
||||
|
||||
when :login_bad
|
||||
report_auth_info(s.merge({:active => false}))
|
||||
print_status("Bad IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
|
||||
when :login_bad
|
||||
report_auth_info(s.merge({:active => false}))
|
||||
print_status("Bad IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
|
||||
|
||||
# Remove it form the session objects so freeup
|
||||
sessions.delete(s[:session])
|
||||
# Remove it form the session objects so freeup
|
||||
sessions.delete(s[:session])
|
||||
|
||||
when :login
|
||||
s[:user]=$1
|
||||
s[:pass]=$2
|
||||
when :login
|
||||
s[:user]=$1
|
||||
s[:pass]=$2
|
||||
|
||||
when nil
|
||||
# No matches, no saved state
|
||||
else
|
||||
sessions[s[:session]].merge!({k => matches})
|
||||
end # end case matched
|
||||
end # end of each_key
|
||||
end # end of parse
|
||||
when nil
|
||||
# No matches, no saved state
|
||||
else
|
||||
sessions[s[:session]].merge!({k => matches})
|
||||
end # end case matched
|
||||
end # end of each_key
|
||||
end # end of parse
|
||||
end
|
||||
|
||||
|
||||
@@ -6,83 +6,83 @@
|
||||
# as unsuccessful logins... (Typos are common :-) )
|
||||
#
|
||||
class SnifferPOP3 < BaseProtocolParser
|
||||
def register_sigs
|
||||
self.sigs = {
|
||||
:ok => /^(\+OK[^\n]*)\n/i,
|
||||
:err => /^(\-ERR[^\n]*)\n/i,
|
||||
:user => /^USER\s+([^\n]+)\n/i,
|
||||
:pass => /^PASS\s+([^\n]+)\n/i,
|
||||
:quit => /^(QUIT\s*[^\n]*)\n/i
|
||||
}
|
||||
end
|
||||
def register_sigs
|
||||
self.sigs = {
|
||||
:ok => /^(\+OK[^\n]*)\n/i,
|
||||
:err => /^(\-ERR[^\n]*)\n/i,
|
||||
:user => /^USER\s+([^\n]+)\n/i,
|
||||
:pass => /^PASS\s+([^\n]+)\n/i,
|
||||
:quit => /^(QUIT\s*[^\n]*)\n/i
|
||||
}
|
||||
end
|
||||
|
||||
def parse(pkt)
|
||||
# We want to return immediatly if we do not have a packet which is handled by us
|
||||
return unless pkt.is_tcp?
|
||||
return if (pkt.tcp_sport != 110 and pkt.tcp_dport != 110)
|
||||
s = find_session((pkt.tcp_sport == 110) ? get_session_src(pkt) : get_session_dst(pkt))
|
||||
def parse(pkt)
|
||||
# We want to return immediatly if we do not have a packet which is handled by us
|
||||
return unless pkt.is_tcp?
|
||||
return if (pkt.tcp_sport != 110 and pkt.tcp_dport != 110)
|
||||
s = find_session((pkt.tcp_sport == 110) ? get_session_src(pkt) : get_session_dst(pkt))
|
||||
|
||||
self.sigs.each_key do |k|
|
||||
# There is only one pattern per run to test
|
||||
matched = nil
|
||||
matches = nil
|
||||
self.sigs.each_key do |k|
|
||||
# There is only one pattern per run to test
|
||||
matched = nil
|
||||
matches = nil
|
||||
|
||||
if(pkt.payload =~ self.sigs[k])
|
||||
matched = k
|
||||
matches = $1
|
||||
end
|
||||
if(pkt.payload =~ self.sigs[k])
|
||||
matched = k
|
||||
matches = $1
|
||||
end
|
||||
|
||||
case matched
|
||||
when :ok
|
||||
# Last command was successful, in addition most servers transmit a banner with the first +OK
|
||||
case s[:last]
|
||||
when nil
|
||||
# Its the first +OK must include the banner, worst case its just +OK
|
||||
s[:info] = matches
|
||||
s[:proto] = "tcp"
|
||||
s[:name] = "pop3"
|
||||
report_service(s)
|
||||
case matched
|
||||
when :ok
|
||||
# Last command was successful, in addition most servers transmit a banner with the first +OK
|
||||
case s[:last]
|
||||
when nil
|
||||
# Its the first +OK must include the banner, worst case its just +OK
|
||||
s[:info] = matches
|
||||
s[:proto] = "tcp"
|
||||
s[:name] = "pop3"
|
||||
report_service(s)
|
||||
|
||||
when :user
|
||||
# When the last command was a username login
|
||||
# We might keep track on this one in future
|
||||
when :pass
|
||||
# Perfect we get an +OK after a PASS command this means right password given :-)
|
||||
when :user
|
||||
# When the last command was a username login
|
||||
# We might keep track on this one in future
|
||||
when :pass
|
||||
# Perfect we get an +OK after a PASS command this means right password given :-)
|
||||
|
||||
s[:proto] = "tcp"
|
||||
s[:name] = "pop3"
|
||||
s[:extra] = "Successful Login. Banner: #{s[:banner]}"
|
||||
report_auth_info(s)
|
||||
print_status("Successful POP3 Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
|
||||
s[:proto] = "tcp"
|
||||
s[:name] = "pop3"
|
||||
s[:extra] = "Successful Login. Banner: #{s[:banner]}"
|
||||
report_auth_info(s)
|
||||
print_status("Successful POP3 Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
|
||||
|
||||
# Remove it form the session objects so freeup
|
||||
sessions.delete(s[:session])
|
||||
# Remove it form the session objects so freeup
|
||||
sessions.delete(s[:session])
|
||||
|
||||
when :quit
|
||||
# The session is terminated by the user just delete is as well
|
||||
sessions.delete(s[:session])
|
||||
end
|
||||
s[:last]=:ok
|
||||
when :quit
|
||||
# The session is terminated by the user just delete is as well
|
||||
sessions.delete(s[:session])
|
||||
end
|
||||
s[:last]=:ok
|
||||
|
||||
when :err
|
||||
case s[:last]
|
||||
when :pass
|
||||
# Oops got a -ERR after a pass so its crap ignore the pass
|
||||
# But report it, might be helpfull for guessing :-)
|
||||
when :err
|
||||
case s[:last]
|
||||
when :pass
|
||||
# Oops got a -ERR after a pass so its crap ignore the pass
|
||||
# But report it, might be helpfull for guessing :-)
|
||||
|
||||
s[:proto]="pop3"
|
||||
s[:extra]="Failed Login. Banner: #{s[:banner]}"
|
||||
report_auth_info(s)
|
||||
print_status("Invalid POP3 Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
|
||||
s[:pass]=""
|
||||
end
|
||||
when nil
|
||||
# No matches, no saved state
|
||||
else
|
||||
s[:last]=matched
|
||||
sessions[s[:session]].merge!({k => matches})
|
||||
end # end case matched
|
||||
end # end of each_key
|
||||
end # end of parse
|
||||
s[:proto]="pop3"
|
||||
s[:extra]="Failed Login. Banner: #{s[:banner]}"
|
||||
report_auth_info(s)
|
||||
print_status("Invalid POP3 Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
|
||||
s[:pass]=""
|
||||
end
|
||||
when nil
|
||||
# No matches, no saved state
|
||||
else
|
||||
s[:last]=matched
|
||||
sessions[s[:session]].merge!({k => matches})
|
||||
end # end case matched
|
||||
end # end of each_key
|
||||
end # end of parse
|
||||
end
|
||||
|
||||
|
||||
+178
-178
@@ -6,206 +6,206 @@
|
||||
|
||||
#Memo :
|
||||
#FOR SMBV1
|
||||
# Authentification without extended security set
|
||||
#1) client -> server : smb_negotiate (0x72) : smb.flags2.extended_sec = 0
|
||||
#2) server -> client : smb_negotiate (0x72) : smb.flags2.extended_sec = 0 and contains server challenge (aka encryption key) and wordcount = 17
|
||||
#3) client -> server : smb_setup_andx (0x73) : contains lm/ntlm hashes and wordcount = 13 (not 0)
|
||||
#4) server -> client : smb_setup_andx (0x73) : if status = success then authentification ok
|
||||
# Authentification without extended security set
|
||||
#1) client -> server : smb_negotiate (0x72) : smb.flags2.extended_sec = 0
|
||||
#2) server -> client : smb_negotiate (0x72) : smb.flags2.extended_sec = 0 and contains server challenge (aka encryption key) and wordcount = 17
|
||||
#3) client -> server : smb_setup_andx (0x73) : contains lm/ntlm hashes and wordcount = 13 (not 0)
|
||||
#4) server -> client : smb_setup_andx (0x73) : if status = success then authentification ok
|
||||
|
||||
# Authentification with extended security set
|
||||
#1) client -> server : smb_negotiate (0x72) : smb.flags2.extended_sec = 1
|
||||
#2) server -> client : smb_negotiate (0x72) : smb.flags2.extended_sec = 1
|
||||
#3) client -> server : smb_setup_andx (0x73) : contains an ntlm_type1 message
|
||||
#4) server -> client : smb_setup_andx (0x73) : contains an ntlm_type2 message with the server challenge
|
||||
#5) client -> server : smb_setup_andx (0x73) : contains an ntlm_type3 message with the lm/ntlm hashes
|
||||
#6) server -> client : smb_setup_andx (0x73) : if status = success then authentification = ok
|
||||
# Authentification with extended security set
|
||||
#1) client -> server : smb_negotiate (0x72) : smb.flags2.extended_sec = 1
|
||||
#2) server -> client : smb_negotiate (0x72) : smb.flags2.extended_sec = 1
|
||||
#3) client -> server : smb_setup_andx (0x73) : contains an ntlm_type1 message
|
||||
#4) server -> client : smb_setup_andx (0x73) : contains an ntlm_type2 message with the server challenge
|
||||
#5) client -> server : smb_setup_andx (0x73) : contains an ntlm_type3 message with the lm/ntlm hashes
|
||||
#6) server -> client : smb_setup_andx (0x73) : if status = success then authentification = ok
|
||||
#FOR SMBV2
|
||||
#SMBv2 is pretty similar. However, extended security is always set and it is using a newer set of smb negociate and session_setup command for requets/response
|
||||
#SMBv2 is pretty similar. However, extended security is always set and it is using a newer set of smb negociate and session_setup command for requets/response
|
||||
|
||||
class SnifferSMB < BaseProtocolParser
|
||||
|
||||
def register_sigs
|
||||
self.sigs = {
|
||||
:smb1_negotiate => /\xffSMB\x72/n,
|
||||
:smb1_setupandx => /\xffSMB\x73/n,
|
||||
#:smb2_negotiate => /\xFESMB\x40\x00(.){6}\x00\x00/n,
|
||||
:smb2_setupandx => /\xFESMB\x40\x00(.){6}\x01\x00/n
|
||||
}
|
||||
end
|
||||
def register_sigs
|
||||
self.sigs = {
|
||||
:smb1_negotiate => /\xffSMB\x72/n,
|
||||
:smb1_setupandx => /\xffSMB\x73/n,
|
||||
#:smb2_negotiate => /\xFESMB\x40\x00(.){6}\x00\x00/n,
|
||||
:smb2_setupandx => /\xFESMB\x40\x00(.){6}\x01\x00/n
|
||||
}
|
||||
end
|
||||
|
||||
def parse(pkt)
|
||||
# We want to return immediatly if we do not have a packet which is handled by us
|
||||
return unless pkt.is_tcp?
|
||||
return if (pkt.tcp_sport != 445 and pkt.tcp_dport != 445)
|
||||
s = find_session((pkt.tcp_sport == 445) ? get_session_src(pkt) : get_session_dst(pkt))
|
||||
def parse(pkt)
|
||||
# We want to return immediatly if we do not have a packet which is handled by us
|
||||
return unless pkt.is_tcp?
|
||||
return if (pkt.tcp_sport != 445 and pkt.tcp_dport != 445)
|
||||
s = find_session((pkt.tcp_sport == 445) ? get_session_src(pkt) : get_session_dst(pkt))
|
||||
|
||||
self.sigs.each_key do |k|
|
||||
# There is only one pattern per run to test
|
||||
matched = nil
|
||||
matches = nil
|
||||
self.sigs.each_key do |k|
|
||||
# There is only one pattern per run to test
|
||||
matched = nil
|
||||
matches = nil
|
||||
|
||||
if(pkt.payload =~ self.sigs[k])
|
||||
matched = k
|
||||
matches = $1
|
||||
end
|
||||
if(pkt.payload =~ self.sigs[k])
|
||||
matched = k
|
||||
matches = $1
|
||||
end
|
||||
|
||||
case matched
|
||||
when :smb1_negotiate
|
||||
payload = pkt.payload.dup
|
||||
wordcount = payload[36,1].unpack("C")[0]
|
||||
#negotiate response
|
||||
if wordcount == 17
|
||||
flags2 = payload[14,2].unpack("v")[0]
|
||||
#the server challenge is here
|
||||
if flags2 & 0x800 == 0
|
||||
s[:challenge] = payload[73,8].unpack("H*")[0]
|
||||
s[:last] = :smb1_negotiate
|
||||
end
|
||||
end
|
||||
case matched
|
||||
when :smb1_negotiate
|
||||
payload = pkt.payload.dup
|
||||
wordcount = payload[36,1].unpack("C")[0]
|
||||
#negotiate response
|
||||
if wordcount == 17
|
||||
flags2 = payload[14,2].unpack("v")[0]
|
||||
#the server challenge is here
|
||||
if flags2 & 0x800 == 0
|
||||
s[:challenge] = payload[73,8].unpack("H*")[0]
|
||||
s[:last] = :smb1_negotiate
|
||||
end
|
||||
end
|
||||
|
||||
when :smb1_setupandx
|
||||
s[:smb_version] = "SMBv1"
|
||||
parse_sessionsetup(pkt, s)
|
||||
when :smb2_setupandx
|
||||
s[:smb_version] = "SMBv2"
|
||||
parse_sessionsetup(pkt, s)
|
||||
when nil
|
||||
# No matches, no saved state
|
||||
else
|
||||
sessions[s[:session]].merge!({k => matches})
|
||||
end # end case matched
|
||||
when :smb1_setupandx
|
||||
s[:smb_version] = "SMBv1"
|
||||
parse_sessionsetup(pkt, s)
|
||||
when :smb2_setupandx
|
||||
s[:smb_version] = "SMBv2"
|
||||
parse_sessionsetup(pkt, s)
|
||||
when nil
|
||||
# No matches, no saved state
|
||||
else
|
||||
sessions[s[:session]].merge!({k => matches})
|
||||
end # end case matched
|
||||
|
||||
end # end of each_key
|
||||
end # end of parse
|
||||
end # end of each_key
|
||||
end # end of parse
|
||||
|
||||
#ntlmv1, ntlmv2 or ntlm2_session
|
||||
def detect_ntlm_ver(lmhash, ntlmhash)
|
||||
return "NTLMv2" if ntlmhash.length > 48
|
||||
if lmhash.length == 48 and ntlmhash.length == 48
|
||||
if lmhash != "00" * 24 and lmhash[16,32] == "00" * 16
|
||||
return "NTLM2_SESSION"
|
||||
else
|
||||
return "NTLMv1"
|
||||
end
|
||||
else
|
||||
raise RuntimeError, "Unknow hash type"
|
||||
end
|
||||
end
|
||||
#ntlmv1, ntlmv2 or ntlm2_session
|
||||
def detect_ntlm_ver(lmhash, ntlmhash)
|
||||
return "NTLMv2" if ntlmhash.length > 48
|
||||
if lmhash.length == 48 and ntlmhash.length == 48
|
||||
if lmhash != "00" * 24 and lmhash[16,32] == "00" * 16
|
||||
return "NTLM2_SESSION"
|
||||
else
|
||||
return "NTLMv1"
|
||||
end
|
||||
else
|
||||
raise RuntimeError, "Unknow hash type"
|
||||
end
|
||||
end
|
||||
|
||||
def parse_sessionsetup(pkt, s)
|
||||
payload = pkt.payload.dup
|
||||
ntlmpayload = payload[/NTLMSSP\x00.*/m]
|
||||
if ntlmpayload
|
||||
ntlmmessagetype = ntlmpayload[8,4].unpack("V")[0]
|
||||
case ntlmmessagetype
|
||||
when 2 # challenge
|
||||
s[:challenge] = ntlmpayload[24,8].unpack("H*")[0]
|
||||
s[:last] = :ntlm_type2
|
||||
when 3 # auth
|
||||
if s[:last] == :ntlm_type2
|
||||
lmlength = ntlmpayload[12, 2].unpack("v")[0]
|
||||
lmoffset = ntlmpayload[16, 2].unpack("v")[0]
|
||||
ntlmlength = ntlmpayload[20, 2].unpack("v")[0]
|
||||
ntlmoffset = ntlmpayload[24, 2].unpack("v")[0]
|
||||
domainlength = ntlmpayload[28, 2].unpack("v")[0]
|
||||
domainoffset = ntlmpayload[32, 2].unpack("v")[0]
|
||||
usrlength = ntlmpayload[36, 2].unpack("v")[0]
|
||||
usroffset = ntlmpayload[40, 2].unpack("v")[0]
|
||||
def parse_sessionsetup(pkt, s)
|
||||
payload = pkt.payload.dup
|
||||
ntlmpayload = payload[/NTLMSSP\x00.*/m]
|
||||
if ntlmpayload
|
||||
ntlmmessagetype = ntlmpayload[8,4].unpack("V")[0]
|
||||
case ntlmmessagetype
|
||||
when 2 # challenge
|
||||
s[:challenge] = ntlmpayload[24,8].unpack("H*")[0]
|
||||
s[:last] = :ntlm_type2
|
||||
when 3 # auth
|
||||
if s[:last] == :ntlm_type2
|
||||
lmlength = ntlmpayload[12, 2].unpack("v")[0]
|
||||
lmoffset = ntlmpayload[16, 2].unpack("v")[0]
|
||||
ntlmlength = ntlmpayload[20, 2].unpack("v")[0]
|
||||
ntlmoffset = ntlmpayload[24, 2].unpack("v")[0]
|
||||
domainlength = ntlmpayload[28, 2].unpack("v")[0]
|
||||
domainoffset = ntlmpayload[32, 2].unpack("v")[0]
|
||||
usrlength = ntlmpayload[36, 2].unpack("v")[0]
|
||||
usroffset = ntlmpayload[40, 2].unpack("v")[0]
|
||||
|
||||
s[:lmhash] = ntlmpayload[lmoffset, lmlength].unpack("H*")[0] || ''
|
||||
s[:ntlmhash] = ntlmpayload[ntlmoffset, ntlmlength].unpack("H*")[0] || ''
|
||||
s[:domain] = ntlmpayload[domainoffset, domainlength].gsub("\x00","") || ''
|
||||
s[:user] = ntlmpayload[usroffset, usrlength].gsub("\x00","") || ''
|
||||
s[:lmhash] = ntlmpayload[lmoffset, lmlength].unpack("H*")[0] || ''
|
||||
s[:ntlmhash] = ntlmpayload[ntlmoffset, ntlmlength].unpack("H*")[0] || ''
|
||||
s[:domain] = ntlmpayload[domainoffset, domainlength].gsub("\x00","") || ''
|
||||
s[:user] = ntlmpayload[usroffset, usrlength].gsub("\x00","") || ''
|
||||
|
||||
secbloblength = payload[51,2].unpack("v")[0]
|
||||
names = (payload[63..-1][secbloblength..-1] || '').split("\x00\x00").map { |x| x.gsub(/\x00/, '') }
|
||||
s[:peer_os] = names[0] || ''
|
||||
s[:peer_lm] = names[1] || ''
|
||||
s[:last] = :ntlm_type3
|
||||
end
|
||||
end
|
||||
else
|
||||
wordcount = payload[36,1].unpack("C")[0]
|
||||
#authentification without smb extended security (smbmount, msf server capture)
|
||||
if wordcount == 13 and s[:last] == :smb1_negotiate and s[:smb_version] == "SMBv1"
|
||||
lmlength = payload[51,2].unpack("v")[0]
|
||||
ntlmlength = payload[53,2].unpack("v")[0]
|
||||
s[:lmhash] = payload[65,lmlength].unpack("H*")[0]
|
||||
s[:ntlmhash] = payload[65 + lmlength, ntlmlength].unpack("H*")[0]
|
||||
|
||||
names = payload[Range.new(65 + lmlength + ntlmlength,-1)].split("\x00\x00").map { |x| x.gsub(/\x00/, '') }
|
||||
secbloblength = payload[51,2].unpack("v")[0]
|
||||
names = (payload[63..-1][secbloblength..-1] || '').split("\x00\x00").map { |x| x.gsub(/\x00/, '') }
|
||||
s[:peer_os] = names[0] || ''
|
||||
s[:peer_lm] = names[1] || ''
|
||||
s[:last] = :ntlm_type3
|
||||
end
|
||||
end
|
||||
else
|
||||
wordcount = payload[36,1].unpack("C")[0]
|
||||
#authentification without smb extended security (smbmount, msf server capture)
|
||||
if wordcount == 13 and s[:last] == :smb1_negotiate and s[:smb_version] == "SMBv1"
|
||||
lmlength = payload[51,2].unpack("v")[0]
|
||||
ntlmlength = payload[53,2].unpack("v")[0]
|
||||
s[:lmhash] = payload[65,lmlength].unpack("H*")[0]
|
||||
s[:ntlmhash] = payload[65 + lmlength, ntlmlength].unpack("H*")[0]
|
||||
|
||||
names = payload[Range.new(65 + lmlength + ntlmlength,-1)].split("\x00\x00").map { |x| x.gsub(/\x00/, '') }
|
||||
|
||||
s[:user] = names[0]
|
||||
s[:domain] = names[1]
|
||||
s[:peer_os] = names[2]
|
||||
s[:peer_lm] = names[3]
|
||||
s[:last] = :smb_no_ntlm
|
||||
else
|
||||
#answer from server
|
||||
if s[:last] == :ntlm_type3 or s[:last] == :smb_no_ntlm
|
||||
#do not output anonymous/guest logging
|
||||
unless s[:user] == '' or s[:ntlmhash] == '' or s[:ntlmhash] =~ /^(00)*$/m
|
||||
#set lmhash to a default value if not provided
|
||||
s[:lmhash] = "00" * 24 if s[:lmhash] == '' or s[:lmhash] =~ /^(00)*$/m
|
||||
s[:lmhash] = "00" * 24 if s[:lmhash] == s[:ntlmhash]
|
||||
s[:user] = names[0]
|
||||
s[:domain] = names[1]
|
||||
s[:peer_os] = names[2]
|
||||
s[:peer_lm] = names[3]
|
||||
s[:last] = :smb_no_ntlm
|
||||
else
|
||||
#answer from server
|
||||
if s[:last] == :ntlm_type3 or s[:last] == :smb_no_ntlm
|
||||
#do not output anonymous/guest logging
|
||||
unless s[:user] == '' or s[:ntlmhash] == '' or s[:ntlmhash] =~ /^(00)*$/m
|
||||
#set lmhash to a default value if not provided
|
||||
s[:lmhash] = "00" * 24 if s[:lmhash] == '' or s[:lmhash] =~ /^(00)*$/m
|
||||
s[:lmhash] = "00" * 24 if s[:lmhash] == s[:ntlmhash]
|
||||
|
||||
smb_status = payload[9,4].unpack("V")[0]
|
||||
if smb_status == 0 # success
|
||||
smb_status = payload[9,4].unpack("V")[0]
|
||||
if smb_status == 0 # success
|
||||
|
||||
ntlm_ver = detect_ntlm_ver(s[:lmhash],s[:ntlmhash])
|
||||
ntlm_ver = detect_ntlm_ver(s[:lmhash],s[:ntlmhash])
|
||||
|
||||
logmessage =
|
||||
"#{ntlm_ver} Response Captured in #{s[:smb_version]} session : #{s[:session]} \n" +
|
||||
"USER:#{s[:user]} DOMAIN:#{s[:domain]} OS:#{s[:peer_os]} LM:#{s[:peer_lm]}\n" +
|
||||
"SERVER CHALLENGE:#{s[:challenge]} " +
|
||||
"\nLMHASH:#{s[:lmhash]} " +
|
||||
"\nNTHASH:#{s[:ntlmhash]}\n"
|
||||
print_status(logmessage)
|
||||
logmessage =
|
||||
"#{ntlm_ver} Response Captured in #{s[:smb_version]} session : #{s[:session]} \n" +
|
||||
"USER:#{s[:user]} DOMAIN:#{s[:domain]} OS:#{s[:peer_os]} LM:#{s[:peer_lm]}\n" +
|
||||
"SERVER CHALLENGE:#{s[:challenge]} " +
|
||||
"\nLMHASH:#{s[:lmhash]} " +
|
||||
"\nNTHASH:#{s[:ntlmhash]}\n"
|
||||
print_status(logmessage)
|
||||
|
||||
src_ip = s[:client_host]
|
||||
dst_ip = s[:host]
|
||||
# know this is ugly , last code added :-/
|
||||
smb_db_type_hash = case ntlm_ver
|
||||
when "NTLMv1" then "smb_netv1_hash"
|
||||
when "NTLM2_SESSION" then "smb_netv1_hash"
|
||||
when "NTLMv2" then "smb_netv2_hash"
|
||||
end
|
||||
# DB reporting
|
||||
report_auth_info(
|
||||
:host => dst_ip,
|
||||
:port => 445,
|
||||
:sname => 'smb',
|
||||
:user => s[:user],
|
||||
:pass => s[:domain] + ":" + s[:lmhash] + ":" + s[:ntlmhash] + ":" + s[:challenge],
|
||||
:type => smb_db_type_hash,
|
||||
:proof => "DOMAIN=#{s[:domain]} OS=#{s[:peer_os]}",
|
||||
:active => true
|
||||
)
|
||||
src_ip = s[:client_host]
|
||||
dst_ip = s[:host]
|
||||
# know this is ugly , last code added :-/
|
||||
smb_db_type_hash = case ntlm_ver
|
||||
when "NTLMv1" then "smb_netv1_hash"
|
||||
when "NTLM2_SESSION" then "smb_netv1_hash"
|
||||
when "NTLMv2" then "smb_netv2_hash"
|
||||
end
|
||||
# DB reporting
|
||||
report_auth_info(
|
||||
:host => dst_ip,
|
||||
:port => 445,
|
||||
:sname => 'smb',
|
||||
:user => s[:user],
|
||||
:pass => s[:domain] + ":" + s[:lmhash] + ":" + s[:ntlmhash] + ":" + s[:challenge],
|
||||
:type => smb_db_type_hash,
|
||||
:proof => "DOMAIN=#{s[:domain]} OS=#{s[:peer_os]}",
|
||||
:active => true
|
||||
)
|
||||
|
||||
report_note(
|
||||
:host => src_ip,
|
||||
:type => "smb_peer_os",
|
||||
:data => s[:peer_os]
|
||||
) if (s[:peer_os] and s[:peer_os].strip.length > 0)
|
||||
report_note(
|
||||
:host => src_ip,
|
||||
:type => "smb_peer_os",
|
||||
:data => s[:peer_os]
|
||||
) if (s[:peer_os] and s[:peer_os].strip.length > 0)
|
||||
|
||||
report_note(
|
||||
:host => src_ip,
|
||||
:type => "smb_peer_lm",
|
||||
:data => s[:peer_lm]
|
||||
) if (s[:peer_lm] and s[:peer_lm].strip.length > 0)
|
||||
report_note(
|
||||
:host => src_ip,
|
||||
:type => "smb_peer_lm",
|
||||
:data => s[:peer_lm]
|
||||
) if (s[:peer_lm] and s[:peer_lm].strip.length > 0)
|
||||
|
||||
report_note(
|
||||
:host => src_ip,
|
||||
:type => "smb_domain",
|
||||
:data => s[:domain]
|
||||
) if (s[:domain] and s[:domain].strip.length > 0)
|
||||
report_note(
|
||||
:host => src_ip,
|
||||
:type => "smb_domain",
|
||||
:data => s[:domain]
|
||||
) if (s[:domain] and s[:domain].strip.length > 0)
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
s[:last] = nil
|
||||
sessions.delete(s[:session])
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
s[:last] = nil
|
||||
sessions.delete(s[:session])
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
@@ -6,43 +6,43 @@
|
||||
|
||||
# Sniffer class for GET URL's
|
||||
class SnifferURL < BaseProtocolParser
|
||||
def register_sigs
|
||||
self.sigs = {
|
||||
:get => /^GET\s+([^\n]+)\s+HTTP\/\d\.\d/i,
|
||||
:webhost => /^HOST\:\s+([^\n\r]+)/i,
|
||||
}
|
||||
end
|
||||
def register_sigs
|
||||
self.sigs = {
|
||||
:get => /^GET\s+([^\n]+)\s+HTTP\/\d\.\d/i,
|
||||
:webhost => /^HOST\:\s+([^\n\r]+)/i,
|
||||
}
|
||||
end
|
||||
|
||||
def parse(pkt)
|
||||
# We want to return immediantly if we do not have a packet which is handled by us
|
||||
return unless pkt.is_tcp?
|
||||
return if (pkt.tcp_sport != 80 and pkt.tcp_dport != 80)
|
||||
s = find_session((pkt.tcp_sport == 80) ? get_session_src(pkt) : get_session_dst(pkt))
|
||||
def parse(pkt)
|
||||
# We want to return immediantly if we do not have a packet which is handled by us
|
||||
return unless pkt.is_tcp?
|
||||
return if (pkt.tcp_sport != 80 and pkt.tcp_dport != 80)
|
||||
s = find_session((pkt.tcp_sport == 80) ? get_session_src(pkt) : get_session_dst(pkt))
|
||||
|
||||
self.sigs.each_key do |k|
|
||||
self.sigs.each_key do |k|
|
||||
|
||||
# There is only one pattern per run to test
|
||||
matched = nil
|
||||
matches = nil
|
||||
# There is only one pattern per run to test
|
||||
matched = nil
|
||||
matches = nil
|
||||
|
||||
if(pkt.payload =~ self.sigs[k])
|
||||
matched = k
|
||||
matches = $1
|
||||
sessions[s[:session]].merge!({k => matches})
|
||||
end
|
||||
if(pkt.payload =~ self.sigs[k])
|
||||
matched = k
|
||||
matches = $1
|
||||
sessions[s[:session]].merge!({k => matches})
|
||||
end
|
||||
|
||||
case matched
|
||||
when :webhost
|
||||
sessions[s[:session]].merge!({k => matches})
|
||||
if(s[:get])
|
||||
print_status("HTTP GET: #{s[:session]} http://#{s[:webhost]}#{s[:get]}")
|
||||
sessions.delete(s[:session])
|
||||
return
|
||||
end
|
||||
when nil
|
||||
# No matches, no saved state
|
||||
end # end case matched
|
||||
end # end of each_key
|
||||
end # end of parse
|
||||
case matched
|
||||
when :webhost
|
||||
sessions[s[:session]].merge!({k => matches})
|
||||
if(s[:get])
|
||||
print_status("HTTP GET: #{s[:session]} http://#{s[:webhost]}#{s[:get]}")
|
||||
sessions.delete(s[:session])
|
||||
return
|
||||
end
|
||||
when nil
|
||||
# No matches, no saved state
|
||||
end # end case matched
|
||||
end # end of each_key
|
||||
end # end of parse
|
||||
end # end of URL sniffer
|
||||
|
||||
|
||||
Reference in New Issue
Block a user